A REVIEW OF SECURITY THREATS AND MITIGATION SOLUTIONS FOR SDN STACK

Transcription

1 Volume 115 No , ISSN: (printed version); ISSN: (on-line version) url: ijpam.eu A REVIEW OF SECURITY THREATS AND MITIGATION SOLUTIONS FOR SDN STACK Prabhakar Krishnan 1 and Jisha S Najeem 2 Amrita Center for Cybersecurity Systems and Networks Amrita School of Engineering, Amritapuri Amrita Vishwa Vidyapeetham Amrita University, India kprabhakar@am.amrita.edu Abstract: Software-Defined-Networking (SDN) is a paradigm shift that re-thinks conventional legacy network design/operations/abstractions and makes future networks openly programmable, controllable, scalable and affordable. As a game changer in modern internetworking technologies, SDN is widely accepted by enterprises, with use in domains ranging from private home networks to small/medium scale workgroup networks to corporate backbone to large-scale wide-area cloud networks. Employing SDN in modern networks provides the much needed agility and visibility to orchestrate and deploy network solutions. But from the security perspectives in terms of threat attack prediction and risk mitigation, especially for the advanced persistent attacks such as DDoS and side channel attacks in Clouds, SDN stack control plane saturation attacks, switch flow table exhaustion attacks - there are still open challenges in SDN environments. In this paper, at first, we present the taxonomy of threats, risks and attack vectors that can disrupt the SDN stack and present various approaches to solve these problems, to deploy SDN securely in production environments. We survey existing research on SDN and the results of our thorough analysis, comparative study of key principles, trade-offs and evaluation of the well-known techniques for SDN security are also presented. To address the key shortcomings and limitations of the existing solutions, we propose our future work a novel framework to effectively monitor and tackle the SDN security issues. Our proposed framework includes a dynamic security semantic monitoring system that decouples monitoring from packet forwarding, and offers flexible fine-grained monitoring, which also integrate well with the SDN architecture. This system will employ machinelearning techniques for fingerprinting, accurate detection of behavioral patterns; attack flows and anomalies in the SDN based networks. Keywords: Software-Defined- Networking,SDN,OpenFlow,network security monitoring. 1. Introduction Software Defined Networking (SDN) is the widely discussed paradigm in the inter-networking technologies today. SDN is an open network architecture proposed in recent years to address some of the key shortcomings of traditional networks. The proponents of SDN argued that the control logic of the network and network functions are two separate concepts, and should therefore be separated in different layers. To this end, SDN hence introduced the concepts of Control plane and data plane: The centralized control plane (from here on, called as controller) manages the network logic, control trafficengineering functions from the data plane (from here on, called as switch-es) that just take care of forwarding the packets between the networks. So the SDN can be considered as a physically distributed switching framework with a logically centralized control.sdn is designed for provisioning highly dynamic orchestration and quality of service/security policies. Beside SDN related security applications and routing mechanisms applications and mechanisms, current modern networks expect numerous other functionalities and policies ranging from traffic shaping to network virtualization and custom packet processing to quality of service (QoS). While the programmability of SDN allows for fast prototyping, customizing network functions, enforcing range of QoS and high adaptability to configure policies for different scenarios, at the same time it also opens up new vectors for vulnerability, attacks and risks. Though the enterprises have already widely adopted SDN, researchers from both academia industry thoroughly analyzed its vulnerabilities, proposing solutions to improve its security and dependability many important security threats, efficient mitigation and trustworthy aspects of SDN systems and networks are still left uninvestigated. In this paper, we present our review, comparative study and analysis of security threat detection, defense mitigation mechanisms from prior research. For each of the defense technique, we provide a discussion about the principle assumptions made, scope, advantages and 93

2 limitations of the proposed defense and mitigation strategy. SDN is a general architectural principle: it broadly defines general guidelines and overall architecture. In this paper, while discussing SDN in real deployments, we refer to specific SDN implementations and OpenFlow protocol as the communication channel between SDN elements, primarily due to its wide adoption in industry (including companies such as Google and Microsoft). However, it is worth noting that all our recommendations, evaluation, considerations inferences are not specifically tied to any one particular SDN stack/openflow, but hold true in general for any open networking standard SDN stack. This paper is organized as follows: Section I provides an introduction to the SDN threat landscape and sets the context, emphasis to advance this research in SDN security Section II provides an overview of the Security Threats, Risks and Attack Vectors to SDN architecture, Section III furnishes a time-line of prior research work and detailed evaluation of the related works in SDN security, Section IV provides a general outlook of our future work and concludes the paper. 2. Security Threats, Risks And Attack Vectors To Sdn Architecture In this section, we will categorize the threat and attack vectors in SDN architecture of an enterprise network. While having a logically centralized controller(s) allows improving the policy-deciding process, distributing the policyenforcement process across the switch (es) introduces new risks and security threats with regard to information disclosure. In legacy networks, the complete network functions are relegated to the specific network devices for implementing them independently, thus providing autonomous control over configuration and access. In SDN based networks, only the policy-rule enforcement part of the network functions are distributed/delegated throughout the data plane switches ( Openflow). Thus, network policies, traffic shaping, security, QoS functionalities like Intrusion detection and prevention systems, network virtualization, bandwidth management and access control, are enforced by the switches (Openflow), through the flow rules installed by the controller, programmed by specific SDN applications running in application plane. Unfortunately, this dynamic programmable behavior can considerably broaden the attack surface of the whole SDN based network. Threats to SDN can be classified into three main categories at high level based on : a) behavior characteristics, b) based on resources and c) key functional components. The most common methods of attacks can be: 1. Spoofing 2. Man in the Middle attack 3. Tampering 4. Repudiation 5. Information Disclosure 6. Denial of Service - Flooding/Saturating Attacks An attacker can attack the SDN elements or an attacker can attack the control plane of SDN. Some top security problems includes: Interception and alteration of SDN control plane packets. Rogue SDN controller that attempts to alter configurations of network elements. Flashing of network element firmware with customized software (malicious software, persistent bootkits). Downgrade of network element firmware to an old version (or simply out-of-date version). At the edge or gateway (Network Edge Device NED) - Is the NED trusted? e.g., is the base software (OS, software switch, etc.) the one expected. Are only the user specified Security Application running in the NED and inspecting the traffic? Can the user be sure that no other applications are handling the data? A general clarification of threats to critical functions/communication channels of SDN stacks, as shown in Fig 1: Figure 1. Attacker searching for potential targets We have also examined and categorized the risks consequences of attacks to communication at boundary, interface between layers of the SDN architecture. Our systematic study of risks to SDN is described in the Table 1 below: Table 1. A Sample Risk Categorisation 3. Defense And Threat Mitigation Approaches 94

3 When considering potential defense countermeasures, the problem is that the main strength of the SDN architecture the programmability itself is the major vulnerable aspect exploited at will by sophisticated attack campaign. Also this core pivotal feature of SDN cannot be removed completely as it may nullify the fundamental operation of SDN So researchers have implemented countermeasures with custom programs or modifications or extensions to SDN elements, but taking advantage of this SDN programmability. Discussion on Solution Approaches: In this section, we analyze and compare approaches that are proposed for securing the SDN Architecture in prior research. Our analysis is based on various evaluation criteria and fundamental attributes of secure communication network Confidentiality, Integrity, and Availability, portability and modifications to existing SDN elements, secure monitoring mitigation overhead, Efficacy of the approach in more sophisticated attack environment. 2) Control plane Extending the functionality of listed in the following Table 2. Here we identify and discuss sures as: 1. Data plane or OF switch 2. Control 1) Application plane Running the security monitoring application and interacting with the controller to ensure trust policies, validating the flow rules and enforcement in SDN elements. 3) Data plane Hardening the switch, by implementing loadable modules either in hardware-switching logic or in packet processing logic. Flow tables analytics, connection proxy and migration, DDoS rate-limiting functions. 4) Control-Data Plane Co-operative system Control plane process and switch module interacting through agent processes, some control logic operations offloaded to the switch or creating a intermediate proxy control layer in the switch. 5) Multi-Plane Co-operative Framework - Multi plane/layer co-operative monitoring framework that consists of active probes/sensors that can be implemented in both agent-based and agent-free mode. The management and defense control, chain of trust and policy enforcement implemented utilizing the standard protocols controllers and new monitoring and defense mechanisms implemented into the control logic. (Openflow, IPFIX, Netflow, sflow or SNMP) that are supported by most vendors. 6) Middlebox system Offloading the security aspect to another network device/element in the SDN architecture (similar to IDS) through Standard communication channel API such as Openflow/Netflow. A. Difane Existing network mechanisms rely highly on SDN controllers, results in scalability issues and performance degrades. The first proposal that came is DIFANE (Doing it Fast and Easy)[1], a scalable distributed flow based novel 95

4 Figure 3. Various Solution Approaches architecture that provides an ecient result keeping track of the network flow in the data plane, by extracting particular or critical flows through the intermediate open Vswitches that store particular flow rules. The DIFANE architecture encapsulates a distributed controller integrated with an authority switches that act as a subset of the existing SDN Open Vswitches in the network or legacy switches(including ingress/egress switches) incorporating colossal memory and processing capability. Once the traffic received from the ingress port of the host, does not match with the existing flow table in the Open Vswitch,the ingress switch directs the network traffic to the corresponding authority switch module in the DIFANE architecture and sends response to the corresponding ingress(gateway)switch. Following network packets matching the flow rules are then redirected directly to the egress switch. B. Avant-Guard Shin et. Al[2] introduced AVANT-GUARD to the SDN Switch (OVS) called Open vswitch, another countermeasure for attacks on control plane integrates two modules : (1) connection migration module,, in the Openflow vswitch to detect network saturation attacks such TCP SYN attacks. (2) actuating trigger, continuously notify the network status and prior information about the payload and headers to the control plane. The above method shielded the control plane from TCP SYN floods but opened up a vulnerability to buffer attacks. C. Lineswitch LineSwitch[3], solution at the data plane switch level, Their implementation approach improves on AVANT- GUARD on 2 aspects:1. efficient buffer-overflow detection mechanisms and 2.less connection state management for proxy, using delayed TCP connection migration method. D. Openflow Extension Framework-Ofx Motivated by customized OpenFlow extensions and modules by Avant guard came another framework OFX module. AVANT-GUARD and Lineswitch has performance, overhead and deployment challenges. OFX [4] enables dependable SDN applications within an existing OpenFlow infrastructure, by dynamically loading software modules that includes security applications such as BotMiner, DDoS Detector etc. This OFX modules contains OFX library as a prerequisite to perform specific network monitoring tasks that emphasis as a new security functionality enabling data plane OFX agent to handle the module packets. Figure 4. Different approaches for securing SDN Architecture E. Kandoo Another vulnerability that limit the OVS includes overheads due to concurrent incidents in the data plane. Hence requires a new framework KANDOO[5], which gurantees a configurable and scalable secure control plane, that maintains the scalability issues by not altering the SDN switches. With efficient offloading of control applications, the two layer controllers approach, encapsulated in the KANDOO framework consolidates a bunch of controllers in the bottom layer and a logically distributed controller in the top layer maintaining the state of the art. KANDOO s framework allows operators to replicate existing controllers in the SDN based network, on the fly and this could lead to inconsistent bottlenecks. F. Flood Guard One among the major drawback in AVANT-GUARD was the buffer saturation attack between control-data plane.to secure SDN networks from such attack FLOODGUARD [6], defense mechanism framework which is an efficient protocolindependent using proactive flow rule analyzer that effectively analyses the flow rules at run-time and packet migration in order to prevent from overloading the controller results in table-miss packets by temporarily storing the packets in the SDN controller using Threshold rate limit algorithms. G. Open Source Sdn Project Delta A new SDN security evaluation framework with two main functions: a) It can automatically instantiate attack cases against SDN elements across diverse environments, and b)it can assist in uncovering unknown security problems within an SDN deployment. Actuated by the existing pen-testing tools for traditional networking, DELTA is considered to be one of the prior work envisaged for benchmarking the SDN devices integrated with specific fuzzing techniques to determine concealed security flaws. 96

5 4. Future Work To address the key shortcomings and limitations of the existing solutions, we propose our future work a novel framework to effectively monitor and tackle the SDN security issues. Our proposed framework includes a dynamic security semantic monitoring system that decouples monitoring from packet forwarding, and offers flexible fine-grained monitoring, which also integrate well with the SDN architecture.more advanced defense mechanisms and mitigation approaches are needed to tackle these impending threats to the network and hence we envisage developing a open networking standard based framework for dynamic security monitoring and defense. In traditional networks, traffic monitoring is typically done at routers or middle-boxes, with the collected information being reported to a central collector where the network management applications are running. In Modern dynamic networks, numerous security-monitoring systems based on programmable SDN are available, but it is difficult to evaluate how they perform, especially in largescale networks. For the SDN traffic security monitoring we propose to develop a system that decouples monitoring from forwarding, a fine-grained network flows monitoring, which is an important capability for effective real time detection of security threats attacks. This should offer flexible, dynamic and fine-grained flow based monitoring that integrates well with the current SDN architecture. We are also investigating applications, which can utilize such a distributed SDN security-monitoring framework. The role of this framework will be to provide monitoring and security at each layer and interface. The key security aspects include: access control,data protection and detection of network attacks such as Denial-of-Service, Spoofing, session hijacking, network protocol poisoning, topology tampering and information disclosure scanning, etc. In our future work, we will apply machine-learning techniques for accurate detection of behavioral patterns, fingerprinting, attack flows and anomalies in the SDN based networks. We believe that advanced machine learning methods can be successfully applied to detect and classify the baseline and anomalous behaviors in the communication channel in the SDN architecture. Eg. The Northbound Interface between Controller-Applications, The Southbound Interface Openflow protocol between Controller-Switch. In real word large networks, there can be complex interconnected network topologies that consist of a rootnetwork and several sub-networks, each network with separate network policies. In such scenarios, as the Attacker scans learns the entire network configuration for staging an attack through sidechannels or northbound/southbound channels, the framework should have multi-criteria flow analyzer that can process data from many switches, detect and prevent such attacks. We also plan to develop reference hardened secure SDNstack, Security application modules and conduct experiments. We will measure the efficacy of this framework in terms of network resources, Meta data flow database, acceptable memory and computational overhead for analytics, latency and other resource usage during attack time and also demonstrate the ability to detect and filter large percentage of attack flows, achieve the lowest acceptable False Positive Rate, in real world network management. Figure 5. Conceptual Deployment scheme of MP-SNOS in SDN network 5. Conclusion SDN has been a popular research area in recent years, especially in relation to traffic engineering, network orchestration, QoS and Security. Despite significant research efforts, to the best of our knowledge very few works have addressed the security threats and attack vectors at all planes, the tradeoff between performance and fine-grained monitoring, dependability on SDN, to build a cooperative security framework for the whole SDN based network. In this paper, we presented a comprehensive study of the vulnerabilities, threats and risks in the SDN architecture, in various real life scenarios. We also proposed a novel framework that makes use of fine-grained security network semantic monitoring to detect and defend the SDN based networks. We also aspire to improve the overall network security, specifically the SDN stack, by advancing the state of the art through optimizations and hardened-network-operating-system. References [1] M. Yu, J. Rexford, M. J. Freedman, and J. Wang, Scalable flow-based networking with difane, ACM SIGCOMM Computer Communication Review, vol. 40, no. 4, pp ,

6 [2] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, Avant-guard: scalable and vigilant switch flow management in software-defined networks, in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013, pp [3] M. Ambrosin, M. Conti, F.De Gaspari, and R. Poovendran, Lineswitch: Efficiently managing switch flow in softwaredefined networking while effectively tackling dos attacks, in Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, 2015, pp [4] J. Sonchack, A. J. Aviv, E. Keller, and J. M. Smith, Enabling practical software-defined networking security applications with ofx, in Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS), [5] S. Hassas Yeganeh and Y. Ganjali, Kandoo: a framework for efficient and scalable offloading of control applications, in Proceedings of the first workshop on Hot topics in software defined networks. ACM, 2012, pp [6] H. Wang, L. Xu, and G. Gu, Floodguard: a dos attack prevention extension in software-defined networks, in Dependable Systems and Networks (DSN), th Annual IEEE/IFIP International Conference on. IEEE, 2015, pp [7] K.-y. Chen, A. R. Junuthula, I. K. Siddhrau, Y. Xu, and H. J. Chao, Sdnshield: Towards more comprehensive defense against ddos attacks on sdn control plane, in Communications and Network Security (CNS), 2016 IEEE Conference on. IEEE, 2016, pp [8] R. Bifulco, J. Boite, M. Bouet, and F. Schneider, Improving sdn with inspired switches, in Proceedings of the Symposium on SDN Research. ACM, 2016, p. 11. [9] M. G. B. A. Nair, Mol and Nair, A mediator based dynamic server load balancing approach using sdn, in International Journal of Control Theory and Applications, 2016, pp [10] M. Conti, F. De Gaspari, and L. V. Mancini, Know your enemy: Stealth configuration-information gathering in sdn, arxiv preprint arxiv: , [11] Y. Sung, P. K. Sharma, E. M. Lopez, and J. H. Park, Fs-opensecurity: A taxonomic modeling of security threats in sdn for future sustainable computing, Sustainability, vol. 8, no. 9, p. 919, [12] P. Krishnan and J. Najeem, A multi plane network monitoring and defense framework for sdn operational security, in International Conference on Operating System Security (ICOSS 2017), [13] M. Dhanalakshmi, R.Dhivyalakshmi, R.G. Gajalakshmi, Mrs.K.DeepaThilak. Scalability and the bandwidth efficiency of VoD Systems, International Innovative Research Journal of Engineering and Technology, 2016, vol.2, pp

7 99

8 100